International email addresses

Starting with Outlook 2016, email addresses no longer have to be written only in English. You can send mail to or receive mail from any email address regardless of the language of the email address. International email addresses (also known as EAI) work just like English email addresses, so you reply, send, and compose emails the same way.

International email addresses may be confused for one another because there are characters in different languages that look similar and may not be easily identifiable. So, it’s important to take precaution before opening attachments, clicking links within the message, or replying to emails from international addresses. Outlook 2016 will notify you if the sender’s email address contains characters from multiple languages. For more information, see International email and your safety.

Notifications

If you get a notification, click the notification message to see your available options.

If you’re not sure about an email address, be safe and don’t open attachments, click any links, or reply. Ask yourself, were you expecting an email from this person or company? If so, it’s probably safe. If not, try to contact the sender through another form of communication, like a new email message that you initiate, text message, or telephone to confirm that the original email is legitimate.

If you determine an email address is not legitimate and you don’t want to receive email from this sender anymore, right-click the message and click Junk > Block Sender.

If you decide that the email address is safe, click one of the two Add options in the notification. The email address or domain is added to your safe senders list and Outlook will no longer show the notification for that particular international address or domain.

You can also choose to do nothing and read and reply to the mail as usual. The next time you get an email from the same sender Outlook will notify you again.

International email and your safety

A language is written using a script. For example, Slovak and English are written using Latin Script. Urdu is written in Arabic script. Kashmiri can be written in both Arabic and Devanagari script. Email addresses can be in any language, and therefore, in any script or even a mixed script. This poses a security risk because attackers might fake an address using characters you don’t normally use tricking you into replying to a rogue email.

Let’s look at an example. Many characters in Latin and other scripts look similar to characters that are typically used in a traditional English email address. These similar characters can visually be mistaken for one another and an attacker can potentially trick someone into replying to a rogue email address. For example, kat.larsson@contoso.com appears to be a seemingly harmless email address but it contains a character from Cyrillic script. Look at the following table that lists the decimal code of each character present in the email address. The decimal code is how your computer interprets text.

Character

Decimal Code (Hexadecimal Code)

K

75 (0x4B)

a

1072 (0x430)

t

116 (0x74)

L

76 (0x4C)

a

97 (0x61)

r

114 (0x72)

s

115 (0x73)

s

115 (0x73)

o

111 (0x6F)

n

110 (0x6E)

As you can see, character а that appears after character K has a different code than the character a that appears after character L. а after K is a Cyrillic character and looks visually identical to a Latin a. So, kat.larsson@contoso.com (traditional English email address) is uniquely different from kat.larsson@contoso.com (email containing the Cyrillic script). If you receive an email from or a link to kat.larsson@contoso.com, how can you tell which email address it really is? You can’t. When Outlook identifies an email address written in multiple scripts, it will give you a notification. This is your signal to take some precautions and verify the sender before opening attachments, clicking on links within the message, replying, or adding the sender or domain to your Safe List. This reduces your chances of unknowingly replying to a rogue email address or clicking on a malicious link or attachment.

Similar confusable characters appear in other scripts as well. You can see a list of confusable characters at The Unicode Consortium’s confusables list.

I have already replied to a rogue email address. Now what?

Unfortunately, there’s not much you can do if you’ve already replied to a rogue email address. To prevent future mail from this address you can Block a mail sender. To block a sender, right-click on a message from the sender and click Junk > Block Sender.